Researchers Find Amazon Alexa Can Be Hacked to Record Users

From “Researchers Find Amazon Alexa Can Be Hacked to Record Users”
eWeek (04/25/18) Kerner, Sean Michael. Posted by ASIS.

The security firm Checkmarx disclosed on April 25 that a malicious developer can trick Amazon’s Alexa voice assistant technology into recording everything a user says. It is currently unclear whether any hackers have ever exploited the flaw, which is not in the Amazon Echo hardware but is rather an abuse of functionality in the Alexa Skills feature set. Developers can extend Alexa’s technology by building skills that provide new functionality for end users. Checkmarx found that several unbounded parameters available to Alexa skills developers could have enabled a malicious developer to record and even transcribe what a user says, even after the user had finished communicating with the device. “Customer trust is important to us, and we take security and privacy seriously,” an Amazon spokesperson stated. “We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.” The Checkmarx research found that an attacker could manipulate an Alexa Skill, which can be installed by unsuspecting users and doesn’t require any physical access to or tampering with the Amazon Echo smart speaker. “The problem is that the attack we described leaves no trace, so a naïve user will not be able to know,” said Erez Yalon, manager of application security research at Checkmarx. “It makes sense that with the info they have now, Amazon can check if the Amazon Store hosts any malicious Alexa Skills.”

People Are Often Too Embarrassed to React to Emergencies at Work — Here’s How to Stay Safe Should the Worst Happen

From “People Are Often Too Embarrassed to React to Emergencies at Work — Here’s How to Stay Safe Should the Worst Happen”
Business Insider (04/09/18) Cain, Áine. Posted by ASIS.

Threat management and workplace violence expert Dr. Laurence Barton says employers should encourage workers to trust their instincts and remain “situationally aware” on the job, instead of emphasizing shooting drills and tactical exercises. He says employers need to adopt flexible, rather than static, emergency plans and policies that empower employees to trust their intuition. For example, instead of telling workers to evacuate the building and meet up at another location, Barton said to order employees to evacuate and keep moving until they feel safe. Static plans can endanger lives in the event of unforeseen circumstances, such as an attacker who is familiar with the contingency plans. A flexible plan should encourage individuals to do whatever they need to do to make themselves safe. He says workers struggle to follow their intuition at work because they are lulled into a false sense of security and are fearful of appearing paranoid in the workplace. When dangers arise in the office, people often experience a sense of disbelief and paralysis. Barton has interviewed numerous survivors of violent workplace incidents, many of whom describe freezing up and not acting on the opportunity to flee. A situationally aware person would identify a potential threat, such as loud popping sounds, trust their instincts, and take decisive action such as evacuating the building.

Scam alert: If your own number is calling you, don’t pick up

SPARTANBURG, S.C. (WSPA) – A new, disturbing twist on a spoofing scam call could do a number on you.

By now, you’ve likely heard of scam calls spoofed from a real number, where the owner of that number has no clue their digits are being used. But what about seeing your own number pop up on your caller ID?

Kiara Milks got a call Monday night from her own number, and was curious.

“So, I answered and they said, ‘Hey, this is so and so from the phone company and I’m just calling to tell you that your account has been hacked and I want to verify a few things with you to let you know.’”

Those few little things: your Social Security number and telephone account number.

“It definitely would be one of our top scams, spoofing. It sounds like it’s pretty easy for scammers to do. And it’s pretty easy for consumers to fall for,” said Vee Daniel with the Better Business Bureau.

She is especially concerned about seniors falling for this latest twist, one that’s blanketing the area.

“Some of my friends from church had also had an encounter last night around 10:30,” said Milks.

Through social media, she found out that people across the Upstate have been getting that call in recent days.

Imposter scams, including this latest spoofing call, account for nearly 50 percent of the 1,400 scams reported to the Department of Consumer Affairs in 2017 alone.

Some other scams to watch out for right now:

  • Bogus job offers that try to steal your personal information.
  • Rental scams that post stolen photos of real homes and make off with your down payment.

As for Milks, they might have known her number, but she wasn’t about to let the scammers do a number on her.

“It’s kind of scary to be honest because you don’t know how many people are actually giving their account information,” she said.

Urgent: New Email Scam Targeting REALTORS®

From the National Association of REALTORS®
A phishing email, purportedly from the “REALTOR® Party via DocuSign,” has been sent to some NAR members. NAR says the email, which contains an attachment, is a phishing attempt, and recipients should delete it. If you’ve opened the email and entered your DocuSign credentials, you should log into DocuSign and change your password immediately. Remember never to take action on or click on any links in emails that appear suspicious or for which you cannot verify the sender via a telephone call. It’s a good idea to provide this advice to clients, too. Learn about other actions you can take to secure your network and sensitive information.

YouTube Shooting Puts a Focus on Workplace Security

From “YouTube Shooting Puts a Focus on Workplace Security”
New York Times (04/06/18) Hsu, Tiffany; Nicas, Jack. Posted by ASIS.

Silicon Valley firms are known for corporate headquarters that resemble universities, where employees mingle with tourists, executives stroll between meetings without an obvious security detail, and collaborations take shape out on the quad. However, such places are difficult to secure. The shooting this week at the headquarters of YouTube, a Google-owned company in San Bruno, Calif., has highlighted the security risks of Silicon Valley’s relatively open corporate campuses — particularly as tech companies’ expanding influence angers more people online. The risk is not confined to the tech sector. Many companies across the country are similarly exposed, reflecting an open-door policy that for generations has pervaded corporate America, where safety training has long focused on fire drills, earthquake-sheltering procedures, and accident cleanup. Many companies now send their security personnel to gun ranges to test active-shooter threats in virtual reality. Insurance providers are offering lower premiums for corporate clients with stronger security. “If you can’t protect the work force, you’re putting your entire operation at risk,” says Arnette Heintze, a former Secret Service agent who runs a security consulting firm. Companies of all kinds have stepped up security. General Mills has made physical changes to its building in Minneapolis to better prepare for an active shooter situation. Wendy’s has installed upgraded security cameras throughout its headquarters in Dublin, Ohio; set up advanced access control systems that can lock down different parts of the facility; and upgraded its phone systems with emergency messaging capabilities.